Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I give source string dynamically in COLLECT command?

tac24
New Member
‎07-11-2018 11:23 PM

I want to extract a value dynamically in a subsearch and give the value (string) to source= << string>> of COLLECT command. The following example is extracting YYYYMMDD from the source field and making "src_yyyymmdd" string that will be given to source=<< string>> of the COLLECT command. 

    main search... | collect index="ABC" source=[search index="XYZ" 
        |head 1 | rex field=source "^FILENAME_(?<YYYYMMDD>\d{8})_.*"
        | eval fieldval="\""+"src_"+YYYYMMDD+"\""  
        | table source YYYYMMDD fieldval
        | return $fieldval]

When I checked the above subsearch as a main search, every field value after table command was what I expected.

alt text

Unfortunately, the result was Error in 'collect' command: Invalid argument: 'src_20180705'

Could someone tell me why this happens and how to solve this problem?

Thanks.

Preview file
1 KB
0 Karma
Reply

niketn
Legend
‎07-15-2018 11:37 PM

@tac24 can you not override the source field even before the collect command with the value you need?

| eval source= [<yourQueryToGetNewSource>]
| collect <yourCommandArguments>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

poete
Builder
‎07-15-2018 11:20 PM

Hello @tac24,

the documentation states : Syntax: source= (from http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Collect).

It seems that you have the same problem as this one : https://answers.splunk.com/answers/240798/how-to-return-a-single-value-from-a-subsearch-into.html

So, this should do :

main search... | collect index="ABC" source=[search index="XYZ" 
         |head 1 | rex field=source "^FILENAME_(?<YYYYMMDD>\d{8})_.*"
         | eval val="src_".YYYYMMDD
         | eval fieldval="\"".val."\""
         | table source YYYYMMDD fieldval
         | return $fieldval]
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...